How ONLYOFFICE complies with HIPAA

We have always prioritized the privacy of our users and the security of their data. At the current stage of our project’s security policies and the data protection tools of our products, ONLYOFFICE becomes fully compliant with HIPAA requirements.

Read this post to learn what ONLYOFFICE does to guarantee compliance with the medical industry’s key data security legislation.

About HIPAA

Health Insurance Portability and Accountability Act of 1996 (HIPAA) aims at keeping patients’ Protected Health Information (PHI) safe by regulating the procedures and measures related to data privacy and security in medical organizations and their business associates.

When you wish to stay compliant with HIPAA to legally provide medical services in the USA or to state your level of data protection standards as a medical organization in general, it is important to use the software that complies with the Act.

Being a developer of ONLYOFFICE on-premises solutions, Ascensio System SIA acts as a provider of the Information System within the legislation and guarantees the compatibility of technological attributes of ONLYOFFICE with the regulated procedures.

Staying HIPAA-compliant with ONLYOFFICE server solutions

To comply with HIPAA’s requirements for handling protected health information software-wise, you must provide a number of technical safeguards, namely:

• Technical procedures and policies for giving access to the PHI to the authorized personnel and software;
• Regular audit of information systems;
• Control over data integrity and safety;
• Authentication of people and organizations requesting access to patient data;
• Mandatory security principles in PHI transfer to protect it from unauthorized access, including control over data integrity in transit and encryption of the transferred data;
• Technological policies for data carriers;
• The contingency plan in case of emergency circumstances;

ONLYOFFICE guarantees your compliance with specific HIPAA regulations related to establishing these technological safeguards thanks to solutions’ innermost composition and vast data protection functionality:

On-premises installation. ONLYOFFICE is highly secure by design: the ability to host it on-premises ensures absolute data independence and full control over any assets processed within its services.

Private Rooms and data encryption at rest. Within the network, the data is protected by reliable encryption technologies: the whole system can be encrypted at rest, while the information stored in the electronic document format can be encrypted using Private Rooms functionality that guarantees secure storage, online editing, and even real-time collaboration.

User identification and access control. ONLYOFFICE offers tools for unique user identification (flexible password criteria, 2FA, LDAP, etc.), emergency access procedures (data recovery from backup copies), automatic logoff configuration, access restriction (selected IPs, mail domains).

Read more about access controls

Data protection in transit. Data in transit between system and client is protected by the use of HTTPS protocols with up-to-date TLS encryption algorithm.

Data audit. ONLYOFFICE allows you to store and examine audit logs, oversee the user activity and login history.

Read more about data audit and login history

Data backup, migration, and erasure. It is possible to perform manual and automatic backups with parameters for backup storage destination, data copy structure, and a customizable number of backup operations in a time period (for automatic backups) and perform safe data recovery. With backup functionality, you can migrate to a new data carrier and erase the data at the previous disposition to prepare the carrier to reuse.

Read more about data backup in ONLYOFFICE

Flexible access rights. You can grant complex combinations of access rights to access the data stored on ONLYOFFICE portals. For electronic files, ONLYOFFICE allows choosing from basic (reading, viewing) and advanced (reviewing, commenting, filling forms, etc.) sharing permissions. It is possible to restrict downloading and printing of the patient data to avoid unauthorized distribution.

Read more about portal access rights

Read more about document sharing permissions

How to request information

To contact Ascensio System SIA with HIPAA compliance-related requests, feel free to reach out to our HIPAA Security Officer / HIPAA Privacy Officer in Latvian headquarters:

Timur Shugaev
Contact email: tim@onlyoffice.com
20A-12 Ernesta Birznieka-Upisha street,
Riga, Latvia, EU,
LV-1050
Phone: +371 63399867

Alternatively, you can reach out to our support team via support@onlyoffice.com.